salt.modules.keystore

Module to interact with keystores

salt.modules.keystore.add(name, keystore, passphrase, certificate, private_key=None)

Adds certificates to an existing keystore or creates a new one if necessary.

Parameters:
  • name -- alias for the certificate

  • keystore -- The path to the keystore file to query

  • passphrase -- The passphrase to use to decode the keystore

  • certificate -- The PEM public certificate to add to the keystore. Can be a PEM string or a path to a file.

  • private_key -- (Optional for TrustedCert) The PEM private key to add to the keystore

CLI Example:

salt '*' keystore.add aliasname /tmp/test.store changeit /tmp/testcert.crt
salt '*' keystore.add aliasname /tmp/test.store changeit certificate="-----BEGIN CERTIFICATE-----SIb...BM=-----END CERTIFICATE-----"
salt '*' keystore.add keyname /tmp/test.store changeit /tmp/512.cert private_key=/tmp/512.key

salt.modules.keystore.get_sha1(certificate)

Returns the SHA1 sum of an ASN1/PEM certificate

Parameters:
  • certificate -- ASN1/PEM certificate

CLI Example:

salt '*' keystore.get_sha1 "(certificate_content_string)"
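
The following is an added example, not code from the Salt module: it shows how a SHA-1 certificate fingerprint is derived (SHA-1 over the DER encoding) for either PEM or DER input. The function names, the colon-separated output format and the sample bytes are assumptions made for illustration; the page does not state the format get_sha1 returns.

```python
import base64
import hashlib
import re

# Matches each PEM certificate block and captures its base64 body.
_PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def cert_to_der(certificate):
    """Return the DER bytes of a certificate given as PEM text or raw DER."""
    data = certificate.encode("ascii") if isinstance(certificate, str) else certificate
    blocks = _PEM_CERT.findall(data)
    if not blocks:
        # No PEM armour: treat the input as DER, which must start with an
        # ASN.1 SEQUENCE tag (0x30).
        if not data.startswith(b"\x30"):
            raise ValueError("input is neither PEM nor DER")
        return data
    if len(blocks) > 1:
        raise ValueError("expected one certificate, got a bundle of %d" % len(blocks))
    # Strip whitespace so single-line PEM (as in the CLI example) also decodes.
    body = b"".join(blocks[0].split())
    return base64.b64decode(body, validate=True)


def sha1_fingerprint(certificate):
    """SHA-1 over the DER encoding, formatted like keytool: AA:BB:..."""
    digest = hashlib.sha1(cert_to_der(certificate)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: DER-shaped bytes, not a real certificate.
SAMPLE_DER = b"\x30\x0a" + bytes(range(10))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(sha1_fingerprint(SAMPLE_PEM))
```

Because the hash is taken over the decoded DER bytes, the same certificate yields the same fingerprint whether it is supplied as multi-line PEM, single-line PEM or DER.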

salt.modules.keystore.list(keystore, passphrase, alias=None, return_cert=False)

Lists certificates in a keytool managed keystore.

Parameters:
  • keystore -- The path to the keystore file to query

  • passphrase -- The passphrase to use to decode the keystore

  • alias -- (Optional) If found, displays details on only this key

  • return_cert -- (Optional) Also return certificate PEM.

Warning

There are security implications for using return_cert to return decrypted certificates.

CLI Example:

salt '*' keystore.list /usr/lib/jvm/java-8/jre/lib/security/cacerts changeit
salt '*' keystore.list /usr/lib/jvm/java-8/jre/lib/security/cacerts changeit debian:verisign_-_g5.pem

salt.modules.keystore.remove(name, keystore, passphrase)

Removes a certificate from an existing keystore. Returns True if remove was successful, otherwise False

Parameters:
  • name -- alias for the certificate

  • keystore -- The path to the keystore file to query

  • passphrase -- The passphrase to use to decode the keystore

CLI Example:

salt '*' keystore.remove aliasname /tmp/test.store changeit